SecureTransport AWS Installation Guide - Version 5.4 16 April 2021 - Axway ...
Copyright © 2021 Axway All rights reserved. This documentation describes the following Axway software: Axway SecureTransport 5.4 No part of this publication may be reproduced, transmitted, stored in a retrieval system, or translated into any human or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of the copyright owner, Axway. This document, provided for informational purposes only, may be subject to significant modification. The descriptions and information in this document may not necessarily accurately represent or reflect the current or planned functions of this product. Axway may change this publication, the product described herein, or both. These changes will be incorporated in new versions of this document. Axway does not warrant that this document is error free. Axway recognizes the rights of the holders of all trademarks used in its publications. The documentation may provide hyperlinks to third-party web sites or access to third-party content. Links and access to these sites are provided for your convenience only. Axway does not control, endorse or guarantee content found in such sites. Axway is not responsible for any content, associated links, resources or services associated with a third-party site. Axway shall not be liable for any loss or damage of any sort associated with your use of third-party content.
Revision history
The following changes are added to the SecureTransport 5.4 AWS Installation Guide:

SecureTransport version | Document revision number | Topics updated
5.4 | 5.4.01 | Initial version
5.4 | 5.4.02 (current version) | New topic added: Deploy MS SQL database in Amazon RDS on page 45

Axway SecureTransport 5.4 AWS Installation Guide 3
Contents
1 Introduction 6
  About SecureTransport 6
2 SecureTransport in Amazon Virtual Private Cloud 7
3 Create a VPC 11
4 Create Security Groups and Network Access Lists 12
  Security Groups 12
    SecureTransport Edge Security Group 14
    SecureTransport Server Security Group 17
    External Database Security Group 19
    GlusterFS Security Group 19
    Load Balancer Security Group 20
    Administration Host Security Group 21
  Network Access Lists 23
  Access your servers using Administration host 24
    Replacing the Administration Host with Amazon EC2 Systems Manager 25
  Subnets 26
    Create subnets 27
  Internet Gateway and public subnets routing 28
    Attach an Internet gateway 28
    Routing of public subnets 30
  NAT Gateway and private subnets routing 31
    Create NAT Gateway 32
    Configure private subnets route table 32
5 Amazon RDS 34
  Deploy Oracle database in Amazon RDS 34
    Create database Security Group 34
    Create option group 35
    Create Oracle database 36
    Parameter Groups 41
    Connect to your Oracle database 42
    Create tables and set ownership of the Oracle database 43
    Obtain the Database certificate and a Distinguished Name 44
  Deploy MS SQL database in Amazon RDS 45
    Create database Security Group 45
    Create MS SQL database 45
    Using SSL with Microsoft SQL Server database 50
    Encrypt Specific Connections 52
    Connect to your MS SQL database 52
    Create tables and set ownership of the MS SQL database 53
  Alternative to RDS Service 54
6 Launch RHEL instances 55
  Launch an instance for the Administration Host 58
  Launch SecureTransport Edge instances 59
  Launch SecureTransport Server Instances 59
  Set up GlusterFS Servers 60
    Attach additional volumes 60
    Install GlusterFS 60
7 Connect to your VPC 61
  VPN 61
  AWS Direct Connect 61
  VPC peering 61
  VPC endpoints 62
  EC2 ClassicLink 62
  Set up VPN connection 62
8 Set up Enterprise Cluster with streaming 66
  Prerequisites 66
  Install SecureTransport 66
9 Set up Classic Load Balancer 67
10 Criteria for a successful setup 73
Introduction 1
This document provides an overview of, and detailed instructions for, setting up SecureTransport in the Amazon Web Services (AWS) Virtual Private Cloud (VPC).

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. Learn more about Amazon VPC.

About SecureTransport
SecureTransport is part of the Axway family of managed file transfer (MFT) products. SecureTransport allows organizations to control and manage the transfer of files inside and outside of the corporate firewall in support of mission-critical business processes, while satisfying policy and regulatory compliance requirements. SecureTransport serves as a hub and router for moving files between humans, systems and more. SecureTransport also completes tasks related to moving files (push or pull), hosts files in mailboxes or "FTP-like" folders, and provides portal access with configurable workflow for file handling and routing. SecureTransport delivers user-friendly governance and configuration capabilities, including delegated administration and pre-defined and configurable workflows, while providing the highest possible level of security.

For a complete description of SecureTransport features and components, refer to the SecureTransport Administrator's Guide.
SecureTransport in Amazon Virtual Private Cloud 2
Currently, deployment of SecureTransport on AWS VPC has been verified only on Red Hat 7.4 or later, and only in the following setup:
- Enterprise Cluster of two servers with streaming to two Edges
- Oracle 12 Database Engine or Microsoft SQL Server 2017 Engine
- GlusterFS file system with two servers
- A Load Balancer (optional)
- A NAT Gateway (optional)
- An Administration Host (optional)
- Four private and two public subnets
- A VPN connection (optional)
- Instances assigned to five Security Groups
- All of this located in two Availability Zones

Note For a multiple Availability Zone deployment, SecureTransport is supported in Enterprise Cluster mode only. SecureTransport over AWS is not supported in Standard Cluster mode when cluster nodes are deployed across multiple Availability Zones. For a Standard Cluster setup in AWS, all nodes must be located in the same Availability Zone.

AWS cloud computing resources are housed in highly available data center facilities. To provide additional scalability and reliability, these data center facilities are distributed in different physical locations, categorized by regions and Availability Zones. Regions are large and widely dispersed into separate geographic locations. Availability Zones are distinct locations within a region that are engineered to be isolated from failures in other Availability Zones and provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. Each region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links. The following diagram illustrates the relationship between regions and Availability Zones.
The goal is to provide a highly available, fault-tolerant and secure setup of SecureTransport in the Amazon Web Services Cloud. The diagram illustrates a SecureTransport setup of an Enterprise Cluster in streaming mode with two Edge servers, each deployed in a different Availability Zone. The Amazon RDS service is used to set up the Oracle or MS SQL database, depending on your setup. Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud.

The setup is dispersed into two Availability Zones of one AWS region. Each Availability Zone contains public and private subnets within your Virtual Private Cloud. The public subnets host the SecureTransport Edge servers and the private subnets host the SecureTransport servers and the external file system. The database instances are located in separate private subnets in the two Availability Zones. The Edge servers maintain a constant synchronization connection. The SecureTransport servers are in an Enterprise Cluster setup and maintain a constant synchronization connection as well. The SecureTransport servers are connected to the Edges in streaming mode: each server establishes streaming connections with both Edge servers. An Internet-facing load balancer distributes requests to the Edge servers in the two Availability Zones. In case of a system failure in one of the Availability Zones, the other zone remains fully functional with up-to-date system configuration, and the SecureTransport Edge and server in the functional zone continue to process requests.

The public subnets in the AWS Cloud are the equivalent of the DMZ (demilitarized zone) in a classic on-premise deployment. The Amazon Web Services cloud provides security tools like Security Groups and Network Access Control Lists (ACLs) to protect the public and private subnets in your VPC. These tools act as the firewalls of classic on-premise deployments and control both inbound and outbound traffic at the instance and subnet level. There is a Network ACL for each tier of the SecureTransport setup: public subnets, private subnets and private database subnets. The Network ACL is a stateless firewall that works at the subnet level, so it must explicitly allow the return traffic of every permitted connection. Each group (Administration host, Edge servers, Servers, File System, Database) and the Load Balancer have a corresponding security group. The security group is a stateful firewall that works at the unit level (EC2 instance, Load Balancer, RDS instance).

There is a host placed in one of the public subnets called the "Administration host", also known as a "bastion host" in networking terminology. Bastion hosts are instances that typically reside within your public subnet and are usually accessed using SSH or RDP. Once remote connectivity is established with the bastion host, it acts as a "jump" server, allowing you to use SSH or RDP to log in to other publicly inaccessible instances. When properly configured through the use of security groups and Network ACLs, the bastion host essentially acts as a bridge to your private instances via the Internet. The Administration host is used to perform maintenance and administration tasks on the servers in the SecureTransport setup. You should always consider the resiliency and high availability of your services in cloud deployments, and the best practice is to have an Administration host in each Availability Zone in case one of the zones goes down. To minimize the exposure of the environment, stop your Administration host instances while no maintenance work is planned and start them again only when you need access to your servers in AWS. You can connect directly to your VPC using VPN if you do not want an Administration host in your setup (see the VPN section in this guide).

The installation of SecureTransport on Red Hat instances in the Amazon Web Services (AWS) cloud follows the same flow as the installation on a regular Red Hat machine, including the required installation prerequisites. This process is described in the SecureTransport Installation Guide. You pass through the AWS-specific setup and configuration stages described here until you can proceed with your SecureTransport installation.

To set up SecureTransport in Amazon Web Services VPC, you must pass through the following steps:
1. Create a VPC.
2. Create Security Groups and Network Access Lists.
3. Create public and private subnets in two Availability Zones.
4. Set up the Internet Gateway and the routing of the public subnets.
5. Set up the NAT Gateway and the routing of the private subnets.
6. Amazon RDS service: Oracle or MS SQL database setup.
7. Launch Amazon EC2 Red Hat instances:
   a. Launch an instance for the Administration Host.
   b. Launch instances in the public subnets for the SecureTransport Edge installations.
   c. Launch instances in the private subnets for the SecureTransport Server installations.
   d. Launch instances in the private subnets for the external GlusterFS file system.
8. Establish a VPN connection to your Amazon VPC.
9. Configure the SecureTransport Enterprise Cluster setup.
10. Set up the Classic Load Balancer.
Create a VPC 3
To create a VPC, follow these steps:
1. Log in to AWS and navigate to the AWS console -> Services.
2. Under the Networking & Content Delivery section, choose VPC.
3. Navigate to Your VPCs and then click Create VPC.
4. Fill in the settings (name tag and IPv4 CIDR block) and click Yes, Create.

Note The CIDR block shown is an example. You can configure the CIDR block according to your needs; all subnets created later must fit inside it.
Create Security Groups and Network Access Lists 4
Amazon VPC provides the following tools to help you increase the security of your VPC:
- Security Groups on page 12: these act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.
- Network Access Lists on page 23: also called network ACLs, these act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
- Flow logs: capture information about the IP traffic going to and from network interfaces in your VPC.

Security groups control inbound and outbound traffic for your instances, and network ACLs control inbound and outbound traffic for your subnets. For more information, see VPC Security. For more details on security options, check the AWS Security Best Practices guide.

Note The suggested configurations for Security Groups and Network Access Lists in this guide do not include outbound rules. For best practices on the outbound rules to apply to your setup, refer to the SecureTransport Administrator's Guide.

Security Groups
An EC2 instance is a virtual machine in Amazon's Elastic Compute Cloud (EC2) for running applications on the Amazon Web Services (AWS) infrastructure. When you launch an EC2 instance in a VPC, you can associate it with one or more security groups that you have created. Each instance in your VPC can belong to a different set of security groups. If you do not specify a security group when you launch an instance, the instance automatically belongs to the default security group for the VPC. For more information about security groups, see Security Groups for Your VPC.

We recommend that you create the security groups you need for your SecureTransport infrastructure in AWS as a first stage, before proceeding with the rest of the setup. You need to group (assign) the instances and components into the following security groups:
- SecureTransport Edge security group
- SecureTransport Server security group
- External Database security group: Oracle or MS SQL
- External File System security group
- Load Balancer security group
- Administration Host security group

Later, during the launch of the instances and the creation of the other components recommended for your SecureTransport setup, you simply select the security group you need from the list. You can always create the Security Groups at a later stage, but we suggest you adhere to the flow as described.

To create a security group in Amazon VPC:
1. Navigate to the AWS console -> Services.
2. Under the Networking & Content Delivery section, choose VPC.
3. Navigate to Virtual Private Cloud -> Security -> Security Groups and click Create Security Group.
4. In the dialog box that opens, enter the required information and click Yes, Create.
5. Select your security group from the "All security groups" table.
6. Edit the "Inbound Rules" / "Outbound Rules" section of the security group.
7. Use the Add another rule button to allow access to your instances on specific ports from specific sources.

Add the necessary inbound and outbound rules to each security group; every instance assigned to a group then gets the level of connectivity, and of restriction, defined for that group. Refer to the firewall-specific information in the SecureTransport Administrator's Guide.

Note The rules defined in the following Security Groups cover the most basic scenario. Security group rules are allow rules only, so you tighten a group by narrowing its sources and removing the rules for protocols you do not use, not by adding rules. The Load Balancer group is the only group whose sources are 0.0.0.0/0; where your partners connect from fixed addresses, restrict those rules to their ranges.

Note The described rules use default ports or ports specific to the test setup. Change or add rules according to your specific setup. Check the FTP does not work through the firewall section in the SecureTransport Administrator's Guide if you want to configure FTP.

SecureTransport Edge Security Group
Allow inbound traffic according to the Firewall rules section of the SecureTransport 5.4 Administrator's Guide.

- Inbound traffic: this table refers to traffic from the load balancer to the Edge servers.

Type | Protocol | Port / Port Range | Source | Description
HTTP | TCP | 80 | Load Balancer Security Group | HTTP
HTTPS | TCP | 443 | Load Balancer Security Group | HTTPS
Custom TCP Rule | TCP | 10022 | Load Balancer Security Group | SSH (SFTP and SCP)
Custom TCP Rule | TCP | 21 | Load Balancer Security Group | FTP (secure and non-secure) control channel (for secure connections the firewall must allow bidirectional communication)
Custom TCP Rule | TCP | 20 | Load Balancer Security Group | FTP (secure and non-secure) active-mode data channel
Custom TCP Rule | TCP | User-defined range | Load Balancer Security Group | FTP (secure and non-secure) passive-mode data channel
Custom TCP Rule | TCP | 10080 | Load Balancer Security Group | AS2 (non-SSL)
Custom TCP Rule | TCP | 10443 | Load Balancer Security Group | AS2 (SSL)
Custom TCP Rule | TCP | 17617 | Load Balancer Security Group | PeSIT (non-SSL)
Custom TCP Rule | TCP | 17627 | Load Balancer Security Group | PeSIT over secure socket (non-Transfer CFT compatible)
Custom TCP Rule | TCP | 17637 | Load Balancer Security Group | PeSIT over secure socket (Transfer CFT compatible)
Custom TCP Rule | TCP | 19617 | Load Balancer Security Group | PeSIT over pTCP plain socket
Custom TCP Rule | TCP | 19627 | Load Balancer Security Group | PeSIT over pTCP secured socket

- Streaming: this table refers to traffic from the SecureTransport Servers to the Edge servers (the Servers initiate these connections).

Type | Protocol | Port / Port Range | Source | Description
Custom TCP Rule | TCP | 20080 | SecureTransport Server Security Group | Streaming HTTP Server
Custom TCP Rule | TCP | 20022 | SecureTransport Server Security Group | Streaming SSH Server
Custom TCP Rule | TCP | 20021 | SecureTransport Server Security Group | Streaming FTP Server
Custom TCP Rule | TCP | 21080 | SecureTransport Server Security Group | Streaming AS2 Server
Custom TCP Rule | TCP | 20444 | SecureTransport Server Security Group | Streaming Administration Tool Server
Custom TCP Rule | TCP | 27617 | SecureTransport Server Security Group | Streaming PeSIT Server

- Internal communication: this table refers to traffic between the Edge servers and to traffic from the Administration host.

Type | Protocol | Port / Port Range | Source | Description
Custom TCP Rule | TCP | 33060 | Administration Host Security Group | Database administration
Custom TCP Rule | TCP | 33060 | SecureTransport Edge Security Group | MySQL communication
Custom TCP Rule | TCP | 22 | Administration Host Security Group | SSH for administration
Custom TCP Rule | TCP | 444 | Administration Host Security Group | Administration Tool (HTTPS)
Custom TCP Rule | TCP | 444 | SecureTransport Edge Security Group | Cluster synchronization
Custom TCP Rule | TCP | 8005 | SecureTransport Edge Security Group | Tomcat shutdown
Custom TCP Rule | TCP | 8006 | SecureTransport Edge Security Group | AS2 shutdown
Custom TCP Rule | TCP | 7800-7802 | SecureTransport Edge Security Group | Hibernate second-level cache

SecureTransport Server Security Group
Allow inbound traffic according to the Firewall rules section of the SecureTransport 5.4 Administrator's Guide.

Note Inbound traffic on the 8088-8093 range must be allowed for both the TCP and the UDP protocol from one SecureTransport Server to another (source: SecureTransport Server Security Group).

Type | Protocol | Port / Port Range | Source | Description
Custom TCP Rule | TCP | 162 | SecureTransport Server Security Group | SNMP
Custom TCP Rule | TCP | 8088-8093 | SecureTransport Server Security Group | Cluster cache management
Custom UDP Rule | UDP | 8088-8093 | SecureTransport Server Security Group | Cluster cache management
Custom TCP Rule | TCP | 444 | Administration Host Security Group | Administration Tool (HTTPS)
Custom TCP Rule | TCP | 44431 | SecureTransport Server Security Group | Cluster Listener
Custom TCP Rule | TCP | 9999 | SecureTransport Server Security Group | TM JMX port
Custom ICMP Rule - IPv4 | ICMP | Echo Reply | SecureTransport Server Security Group | Echo Reply
SSH | TCP | 22 | Administration Host Security Group | SSH for administration
Custom TCP Rule | TCP | 8005 | SecureTransport Server Security Group | Tomcat shutdown port
Custom TCP Rule | TCP | 8009 | SecureTransport Server Security Group | Tomcat JK connector
Custom TCP Rule | TCP | 20444 | SecureTransport Server Security Group | Administration Tool
Custom TCP Rule | TCP | 7 | SecureTransport Server Security Group | Coherence
Custom TCP Rule | TCP | 7800-7802 | SecureTransport Server Security Group | Hibernate second-level cache
Custom ICMP Rule - IPv4 | ICMP | Echo Request | SecureTransport Server Security Group | Echo Request
External Database Security Group
Allow inbound traffic depending on your selected database: Oracle or MS SQL.

Oracle Database Security Group

Type | Protocol | Port / Port Range | Source | Description
Oracle RDS | TCP | 1521 | Administration Host Security Group; SecureTransport Server Security Group | Non-SSL access to the database
Custom TCP Rule | TCP | 2484 | Administration Host Security Group; SecureTransport Server Security Group | SSL access to the database

MS SQL Database Security Group

Type | Protocol | Port / Port Range | Source | Description
MS SQL | TCP | 1433 | Administration Host Security Group; SecureTransport Server Security Group | Access to the database

GlusterFS Security Group
Allow the following inbound traffic:

Type | Protocol | Port / Port Range | Source | Description
SSH | TCP | 22 | Administration Host Security Group | SSH from the Administration Host
Custom TCP Rule | TCP | 24007 | GlusterFS Security Group; SecureTransport Server Security Group | Gluster daemon
Custom TCP Rule | TCP | 111 | GlusterFS Security Group; SecureTransport Server Security Group | Portmapper
Custom TCP Rule | TCP | 49152-49251 | GlusterFS Security Group; SecureTransport Server Security Group | Brick ports (each brick of every volume on your host requires its own port)
Custom TCP Rule | TCP | 2049 | GlusterFS Security Group; SecureTransport Server Security Group | NFS

Load Balancer Security Group
Allow the following inbound traffic:

Type | Protocol | Port / Port Range | Source | Description
HTTP | TCP | 80 | 0.0.0.0/0 | HTTP
HTTPS | TCP | 443 | 0.0.0.0/0 | HTTPS
Custom TCP Rule | TCP | 10022 | 0.0.0.0/0 | SSH (SFTP and SCP)
Custom TCP Rule | TCP | 21 | 0.0.0.0/0 | FTP (secure and non-secure) control channel (for secure connections the firewall must allow bidirectional communication)
Custom TCP Rule | TCP | 20 | 0.0.0.0/0 | FTP (secure and non-secure) active-mode data channel
Custom TCP Rule | TCP | User-defined range | 0.0.0.0/0 | FTP (secure and non-secure) passive-mode data channel
Custom TCP Rule | TCP | 10080 | 0.0.0.0/0 | AS2 (non-SSL)
Custom TCP Rule | TCP | 10443 | 0.0.0.0/0 | AS2 (SSL)
Custom TCP Rule | TCP | 17617 | 0.0.0.0/0 | PeSIT (non-SSL)
Custom TCP Rule | TCP | 17627 | 0.0.0.0/0 | PeSIT over secure socket (non-Transfer CFT compatible)
Custom TCP Rule | TCP | 17637 | 0.0.0.0/0 | PeSIT over secure socket (Transfer CFT compatible)
Custom TCP Rule | TCP | 19617 | 0.0.0.0/0 | PeSIT over pTCP plain socket
Custom TCP Rule | TCP | 19627 | 0.0.0.0/0 | PeSIT over pTCP secured socket

Administration Host Security Group
Allow the following inbound traffic:

Type | Protocol | Port / Port Range | Source | Description
RDP | TCP | 3389 | Your IP address | Remote connection to the Administration Host
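Before creating the groups in the console it is worth checking the rule set as a whole for the properties the tables above are meant to guarantee: only the Load Balancer group faces 0.0.0.0/0, no administrative port is ever Internet-facing, the Administration Host group admits single hosts only, the database group admits security groups rather than CIDRs, and every Internet-facing load balancer port has a matching Edge rule sourced from the Load Balancer group (and no Edge rule from that group is left dangling). The Python script below is an added example, not code from the Axway guide or from AWS. It encodes a representative subset of the rules above; the group names (lb, edge, server, db, admin), the sg: notation for security-group sources, the administrator address 203.0.113.10/32 and the set of ports treated as administrative are assumptions of the example.

```python
"""Least-privilege review of SecureTransport security-group rules (added example)."""

ANY = "0.0.0.0/0"

# Rule = (group, protocol, from_port, to_port, source).  Sources are either a
# CIDR or "sg:<group>" for a security-group reference.  Representative subset
# transcribed from the tables in this chapter, not the full rule set.
RULES = [
    # Load Balancer Security Group: the only group that faces the Internet
    ("lb", "tcp", 80, 80, ANY),
    ("lb", "tcp", 443, 443, ANY),
    ("lb", "tcp", 10022, 10022, ANY),
    ("lb", "tcp", 21, 21, ANY),
    ("lb", "tcp", 10443, 10443, ANY),
    # SecureTransport Edge Security Group: same services, but only from the LB
    ("edge", "tcp", 80, 80, "sg:lb"),
    ("edge", "tcp", 443, 443, "sg:lb"),
    ("edge", "tcp", 10022, 10022, "sg:lb"),
    ("edge", "tcp", 21, 21, "sg:lb"),
    ("edge", "tcp", 10443, 10443, "sg:lb"),
    ("edge", "tcp", 20080, 20080, "sg:server"),   # streaming HTTP from ST Servers
    ("edge", "tcp", 22, 22, "sg:admin"),
    ("edge", "tcp", 444, 444, "sg:admin"),
    ("edge", "tcp", 444, 444, "sg:edge"),         # cluster synchronization
    # SecureTransport Server Security Group
    ("server", "tcp", 22, 22, "sg:admin"),
    ("server", "tcp", 444, 444, "sg:admin"),
    ("server", "tcp", 8088, 8093, "sg:server"),   # cluster cache management
    ("server", "udp", 8088, 8093, "sg:server"),
    # External (Oracle) Database Security Group
    ("db", "tcp", 1521, 1521, "sg:admin"),
    ("db", "tcp", 1521, 1521, "sg:server"),
    ("db", "tcp", 2484, 2484, "sg:server"),
    # Administration Host Security Group: RDP from one administrator address
    ("admin", "tcp", 3389, 3389, "203.0.113.10/32"),   # assumed address
]

# Ports that must never be reachable from the Internet (assumption of the example).
ADMIN_PORTS = {22, 444, 3389, 20444, 33060, 1521, 2484, 1433}


def ports(lo, hi):
    return set(range(lo, hi + 1))


def span(proto, lo, hi):
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def check(rules):
    """Return a list of human-readable findings; an empty list means the set passes."""
    findings = []
    for group, proto, lo, hi, src in rules:
        if src == ANY and group != "lb":
            findings.append(f"{group}: {span(proto, lo, hi)} is open to {ANY}; "
                            "only the load balancer group may face the Internet")
        if src == ANY and ADMIN_PORTS & ports(lo, hi):
            findings.append(f"{group}: administrative port in {span(proto, lo, hi)} is open to {ANY}")
        if group == "admin" and not src.endswith("/32"):
            findings.append(f"admin: source {src} for {span(proto, lo, hi)} is not a single host (/32)")
        if group == "db" and not src.startswith("sg:"):
            findings.append(f"db: source {src} for {span(proto, lo, hi)} should be a security group, not a CIDR")

    # Every Internet-facing LB port needs a matching Edge rule from sg:lb, and
    # every Edge rule from sg:lb needs a matching LB listener (else it is dangling).
    lb_public = {(p, n) for g, p, lo, hi, s in rules if g == "lb" and s == ANY for n in ports(lo, hi)}
    edge_from_lb = {(p, n) for g, p, lo, hi, s in rules if g == "edge" and s == "sg:lb" for n in ports(lo, hi)}
    for proto, port in sorted(lb_public - edge_from_lb):
        findings.append(f"lb accepts {proto}/{port} but edge has no rule for it from sg:lb (traffic is dropped)")
    for proto, port in sorted(edge_from_lb - lb_public):
        findings.append(f"edge accepts {proto}/{port} from sg:lb but lb does not listen on it (dangling rule)")
    return findings


if __name__ == "__main__":
    for finding in check(RULES) or ["no findings: rule set passes"]:
        print(finding)
    # A deliberately bad rule, to show what a detection looks like:
    for finding in check(RULES + [("server", "tcp", 22, 22, ANY)]):
        print("BAD:", finding)
```

The rule list is deliberately the same shape as the tables, so the remaining rows (the FTP passive range, the PeSIT ports, the GlusterFS group) can be pasted in and checked the same way; the one check that needs thought when you extend it is the load balancer/Edge comparison, which assumes the load balancer forwards each port to the same port on the Edge, as this guide's Classic Load Balancer setup does.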
Network Access Lists
You can secure your VPC instances using only security groups, and in general they are sufficient to secure your subnets, but we recommend that you add network ACLs as a second layer of defense. Unlike security groups, network ACLs are stateless: a rule that admits a connection into a subnet does not admit its replies back out, so each ACL needs explicit rules for the return traffic (normally the ephemeral port range) in the opposite direction. For more information about network ACLs, see Network ACLs.
- Create one Network ACL for your public subnets hosting the SecureTransport Edge servers and add inbound/outbound rules limiting the access to the required minimum for the relevant subnets.
- Create one Network ACL for your private subnets hosting the SecureTransport servers and add inbound/outbound rules limiting the access to the required minimum for the relevant subnets.
- Create one Network ACL for the private subnets hosting the database instances and add inbound/outbound rules limiting the access to the required minimum for the relevant subnets.

Later, after you create the subnets, associate them with their corresponding Network ACL.

To create Network Access Lists in Amazon VPC:
1. Navigate to the AWS console -> Services.
2. Under the Networking & Content Delivery section, choose VPC.
3. Navigate to Virtual Private Cloud -> Security -> Network ACLs.
4. Select Create Network ACL, enter a meaningful name, choose your VPC and confirm by clicking Yes, Create.
5. Enter the Inbound/Outbound rules relevant for the subnets that will be associated with this Network ACL and then click Save.
6. Associate the corresponding subnets with this Network ACL and save.

Access your servers using Administration host
When designing the Administration host for your AWS infrastructure, use it only for maintenance and administration tasks and avoid opening unnecessary security holes. Keep it locked down as much as possible, and consider hardening your chosen operating system for even tighter security. Stop your Administration host instances while no maintenance work is planned and start them only when you need access to your servers in AWS, in order to minimize the security risks.

Here are the basic steps for creating a bastion host for your AWS infrastructure (see the section Launch an instance for Administration Host):
- Launch an EC2 instance.
- Apply your OS hardening as required.
- Set up the appropriate security groups (SG).
- Implement either SSH agent forwarding (Linux connectivity) or Remote Desktop Gateway (Windows connectivity).
- Deploy an AWS bastion host in each of the Availability Zones you are using.

Find more information about the bastion host architecture in AWS in the Linux Bastion Architecture documentation. See also the Linux Bastion hosts on the AWS cloud guide, and the How to record ssh sessions established through a bastion host topic for closer monitoring of this host.

Security groups are essential for maintaining tight security and play a big part in making this solution work. First, create a security group, or update an existing one, that allows connectivity from the Administration host to your private instances (see the SecureTransport Server Security Group in the Security Groups section of this guide). This SG should accept SSH or RDP inbound requests only from your Administration hosts across your Availability Zones. Apply this group to all your private instances that require connectivity.

Next, create a security group to be applied to your Administration host. Inbound and outbound traffic must be restricted at the protocol level as much as possible. The inbound rule base should accept SSH or RDP connections only from specific IP addresses (usually those of your administrators' work computers). See the Administration Host Security Group in the Security Groups section of this guide. Your outbound rules should again be restricted to SSH or RDP access to the private instances of your AWS infrastructure. An easy way to do this is to populate the "Destination" field with the ID of the security group you are using for your private instances.

Logins to EC2 instances depend on the instance key pair: SSH authenticates with it directly, and the Windows administrator password can only be retrieved by decrypting it with the private key. This does not pose a problem when you connect to your Administration host from a local machine, as you can store the private key locally. However, once you have connected to your Administration host, logging in to your private instances from this host would require having their private keys on the Administration host, and storing private keys on remote instances is not good security practice. As a result, you should implement either Remote Desktop Gateway (for connecting to Windows instances) or SSH agent forwarding (for Linux instances). Both of these solutions eliminate the need for storing private keys on the Administration host. Note that agent forwarding still exposes your agent to the bastion for the duration of the session, so a compromised bastion could sign with your keys while you are connected; OpenSSH's ProxyJump option (ssh -J) reaches the private instance through the bastion without forwarding the agent at all and is the tighter choice where your client supports it. AWS provides detailed documentation on how to implement Windows Remote Desktop Gateway and SSH agent forwarding.

Replacing the Administration Host with Amazon EC2 Systems Manager
There is an alternative to having an Administration host with access to your private servers in the VPC: Amazon EC2 Systems Manager (now called AWS Systems Manager). Systems Manager allows you to remotely execute commands on managed hosts without using an Administration host. A host-based agent polls Systems Manager to determine whether there is a command awaiting execution, so no inbound port has to be opened on the private instances at all. You can find more information about this option in the Replacing a Bastion Host with Amazon EC2 Systems Manager topic.
There is no cost to use Systems Manager, but you are responsible for the costs of the resources that use Systems Manager, such as the EC2 instances, SNS messages, and S3 storage.

Subnets
After creating a VPC, you can add one or more subnets in each Availability Zone. A public subnet is one whose route table has a route to an Internet gateway; a private subnet has no such route, so its instances are reachable only from inside the VPC and reach the Internet for outbound traffic only through a NAT gateway. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. Learn more about VPCs and Subnets.

In the following example, the VPC on the left has a single CIDR block (10.0.0.0/16) and two subnets.
Create subnets

Create six subnets (four private and two public): two private subnets and one public subnet per Availability Zone.

1. Navigate to the AWS console -> Services.
2. Under the Networking & Content Delivery section, choose VPC.
3. Navigate to Subnets and click Create Subnet.
4. Fill in the settings and click Yes, Create.
   - Name tag: specify a unique name for each subnet.
   - VPC: select your VPC for all subnets.
   - Availability Zone: spread the subnets across zones. For example, the first public subnet and the first and third private subnets are in eu-west-1b; the second public subnet and the second and fourth private subnets are in eu-west-1c.
   - IPv4 CIDR block: specify a different block for each subnet, all inside the VPC CIDR block. For example:
     - 172.31.0.0/24 - Public1
     - 172.31.3.0/24 - Public2
     - 172.31.1.0/24 - Private1
     - 172.31.2.0/24 - Private2
     - 172.31.4.0/24 - Private3
     - 172.31.5.0/24 - Private4
   Note: This is an example CIDR block size. Size the blocks according to your needs; they only have to be non-overlapping subsets of the VPC CIDR block.
5. Repeat the steps for the remaining subnets.
Internet Gateway and public subnets routing

An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It imposes no availability risks or bandwidth constraints on your network traffic. An Internet gateway serves two purposes: it provides a target in your VPC route tables for Internet-routable traffic, and it performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.

For resources in a VPC to send and receive traffic from the Internet, the following conditions must be met:

- An Internet gateway must be attached to the VPC.
- The route tables associated with your public subnets (including custom route tables) must have a route to the Internet gateway.
- The security groups and network ACLs that apply to the instances must allow the traffic to flow to and from the Internet.
- An instance that must be reachable from the Internet needs a public IPv4 address or an attached Elastic IP address.

You can find instructions for each of these steps at Creating a VPC with an Internet Gateway.

Attach an Internet gateway

Follow these steps to attach an Internet gateway to your VPC and enable the public subnets to communicate with the Internet:

1. Navigate to the AWS console -> Services.
2. Under the Networking & Content Delivery section, choose VPC.
3. Navigate to Virtual Private Cloud -> Internet Gateways.
4. Click Create Internet Gateway.
5. Type a name in the Name tag text box and click Yes, Create. The Internet gateway you just created is in the "detached" state; the next step is to attach it to your VPC.
6. Click Attach to VPC.
7. Select your VPC from the Name tag drop-down list and click Yes, Attach. On success, the state of the Internet gateway changes to "attached".

Routing of public subnets

Now configure the routing for your public subnets so that traffic from them reaches the Internet through the Internet gateway attached to the VPC.

Configure the public subnets route table:

1. Navigate to VPC Dashboard -> Subnets.
2. Select your first public subnet from the list and navigate to its Summary section.
3. Click the name of the subnet's Route Table.
4. You are redirected to the Route Table in the Virtual Private Cloud -> Route Tables section.
5. Add one route to the route table for Internet-bound traffic, with the Internet gateway as its target. The local route for the VPC CIDR block is already present and must stay; only the default route is added.
6. Add the new route: for Destination type 0.0.0.0/0 (all Internet-bound packets) and for Target choose the Internet gateway you created in the previous subtopic.
7. Save the routes.
8. Navigate to the Subnet Associations tab, associate your public subnets with the route table and save the changes.

Traffic from instances in the public subnets destined for the Internet is now sent to the Internet gateway. Do not associate any private subnet with this route table: a subnet whose route table sends 0.0.0.0/0 to an Internet gateway is public, whatever its name says.

NAT Gateway and private subnets routing

A NAT gateway gives your private instances outbound access to the Internet, for example for software updates, while blocking connections initiated from the outside. The private subnets in your VPC should reach the Internet only through a NAT gateway. The NAT gateway configuration is optional; skip it if you want the instances in the private subnets to have no Internet access at all.

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. A NAT gateway lives in a single Availability Zone; if the private subnets in each zone must keep Internet access when the other zone fails, create one NAT gateway per zone (each in that zone's public subnet) and give each zone's private subnets their own route table pointing at the local NAT gateway. Learn more about NAT.
To create a NAT gateway, you must specify a subnet and an Elastic IP address. Make sure that the Elastic IP address is not currently associated with an instance or a network interface.

Create NAT Gateway

Configure a NAT gateway for the private subnets in your VPC:

1. Navigate to the AWS console -> Services.
2. Go to the Networking & Content Delivery section and click VPC.
3. Navigate to Virtual Private Cloud -> NAT Gateways -> Create NAT Gateway.
4. On the newly opened page, select a public subnet from the Subnet drop-down list; the NAT gateway is created in that subnet. It must be a public subnet, otherwise the NAT gateway itself has no route to the Internet gateway.
5. Assign an Elastic IP address to the NAT gateway.
6. Click Create a NAT Gateway.

Now configure the routing for your private subnets so that Internet-bound traffic from them goes through the NAT gateway you have created.

Configure private subnets route table

1. Navigate to VPC Dashboard -> Subnets.
2. Select one of your private subnets from the list and navigate to its Summary section.
3. Click the name of the subnet's Route Table.
4. You are redirected to your Route Table in the Virtual Private Cloud -> Route Tables subsection.
5. Add a new route: for Destination type 0.0.0.0/0 (all Internet-bound packets) and for Target choose the NAT gateway you created in the previous subtopic.
6. Save the routes.
7. Navigate to the Subnet Associations tab, associate your private subnets with the route table and save the changes.

Traffic from instances in the private subnets destined for the Internet is now sent to the NAT gateway. Verify that this route table contains no route whose target is the Internet gateway; the only targets should be local and the NAT gateway.
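The subnet and routing subtopics above reduce to a handful of invariants that are easy to break with one wrong click in the console: every subnet CIDR inside the VPC block and no two overlapping, a public subnet in each zone that hosts private subnets, 0.0.0.0/0 pointing at the Internet gateway only for public subnets and at a NAT gateway (or nowhere) for private ones, and the NAT gateway itself placed in a public subnet. The following Python script is an added example, not part of the Axway guide or of any AWS tool; it checks those invariants over data shaped like the output of aws ec2 describe-subnets, describe-route-tables and describe-nat-gateways, trimmed to the fields used and with a Public flag per subnet that AWS does not have (it records the intent of the plan). The six subnets and two route tables in it are the constructed example from this chapter; resource IDs such as subnet-pub1, igw-0123 and nat-0123 are invented, so the script runs offline.

```python
"""Sanity-check a VPC subnet and routing plan of the kind built in this chapter.

Added example for the SecureTransport AWS guide; not an Axway or AWS tool.
Input mirrors `aws ec2 describe-subnets`, `describe-route-tables` and
`describe-nat-gateways`, reduced to the fields the checks use, plus a Public
flag per subnet (AWS has no such attribute; it is the plan's intent).
"""
import ipaddress

# Constructed sample: the six-subnet layout from "Create subnets" and the two
# route tables from the routing subtopics. All resource IDs are invented.
VPC_CIDR = "172.31.0.0/16"

SUBNETS = [
    {"SubnetId": "subnet-pub1",  "Tag": "Public1",  "CidrBlock": "172.31.0.0/24", "AvailabilityZone": "eu-west-1b", "Public": True},
    {"SubnetId": "subnet-pub2",  "Tag": "Public2",  "CidrBlock": "172.31.3.0/24", "AvailabilityZone": "eu-west-1c", "Public": True},
    {"SubnetId": "subnet-priv1", "Tag": "Private1", "CidrBlock": "172.31.1.0/24", "AvailabilityZone": "eu-west-1b", "Public": False},
    {"SubnetId": "subnet-priv2", "Tag": "Private2", "CidrBlock": "172.31.2.0/24", "AvailabilityZone": "eu-west-1c", "Public": False},
    {"SubnetId": "subnet-priv3", "Tag": "Private3", "CidrBlock": "172.31.4.0/24", "AvailabilityZone": "eu-west-1b", "Public": False},
    {"SubnetId": "subnet-priv4", "Tag": "Private4", "CidrBlock": "172.31.5.0/24", "AvailabilityZone": "eu-west-1c", "Public": False},
]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}],
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}]},
    {"RouteTableId": "rtb-private",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}],
     "Associations": [{"SubnetId": s} for s in
                      ("subnet-priv1", "subnet-priv2", "subnet-priv3", "subnet-priv4")]},
]

NAT_GATEWAYS = [{"NatGatewayId": "nat-0123", "SubnetId": "subnet-pub1"}]


def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route ('igw-…', 'nat-…', …) or None if absent."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def check_plan(vpc_cidr, subnets, route_tables, nat_gateways):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {s["SubnetId"]: ipaddress.ip_network(s["CidrBlock"]) for s in subnets}
    tags = {s["SubnetId"]: s["Tag"] for s in subnets}

    # 1. Every subnet CIDR lies inside the VPC block and no two overlap.
    for s in subnets:
        if not nets[s["SubnetId"]].subnet_of(vpc):
            findings.append(f"{s['Tag']}: {s['CidrBlock']} is outside VPC {vpc_cidr}")
    ids = list(nets)
    for i, first in enumerate(ids):
        for second in ids[i + 1:]:
            if nets[first].overlaps(nets[second]):
                findings.append(f"{tags[first]} and {tags[second]} overlap")

    # 2. Every zone with a private subnet also has a public one, because the
    #    NAT gateway serving that zone has to live in a public subnet.
    public_zones = {s["AvailabilityZone"] for s in subnets if s["Public"]}
    for s in subnets:
        if not s["Public"] and s["AvailabilityZone"] not in public_zones:
            findings.append(f"{s['Tag']}: no public subnet in {s['AvailabilityZone']}")

    # 3. Public subnets need 0.0.0.0/0 -> igw; private subnets must never point
    #    at an igw, only at a NAT gateway or nothing. A subnet with no explicit
    #    association uses the VPC main route table, which is not modelled here,
    #    so it is treated as having no default route.
    by_subnet = {assoc["SubnetId"]: rt for rt in route_tables for assoc in rt["Associations"]}
    for s in subnets:
        rt = by_subnet.get(s["SubnetId"])
        target = (default_route_target(rt) if rt else None) or ""
        if s["Public"] and not target.startswith("igw-"):
            findings.append(f"{s['Tag']}: public subnet has no Internet gateway route")
        if not s["Public"] and target.startswith("igw-"):
            findings.append(f"{s['Tag']}: private subnet routes 0.0.0.0/0 to an Internet gateway")

    # 4. Each NAT gateway must sit in a public subnet or it has no way out.
    public_ids = {s["SubnetId"] for s in subnets if s["Public"]}
    for nat in nat_gateways:
        if nat["SubnetId"] not in public_ids:
            findings.append(f"{nat['NatGatewayId']}: NAT gateway is not in a public subnet")
    return findings


if __name__ == "__main__":
    for line in check_plan(VPC_CIDR, SUBNETS, ROUTE_TABLES, NAT_GATEWAYS) or ["plan OK"]:
        print(line)
```

To check a real VPC, replace the constants with the JSON from the three CLI commands (the key names are the same) and set Public on each subnet according to your plan; anything the script prints is a deviation from the layout this chapter describes.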
5 Amazon RDS

Amazon Relational Database Service (Amazon RDS) is a web service that allows you to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. The DB instance is the basic building block of Amazon RDS: an isolated database environment in the cloud. A DB instance can contain multiple user-created databases, and you access it with the same tools and applications that you use with a stand-alone database instance. Each DB instance runs a DB engine. For the list of database engines supported in the Amazon RDS environment, refer to Axway and third-party software support on page 1.

Deploy Oracle database in Amazon RDS

Create database Security Group

First, create a Security Group for your database:

1. Navigate to AWS console -> Services.
2. Go to the Compute section and select EC2.
3. Go to the Network & Security section and select Security Groups.
4. Click Create Security Group. Allow inbound traffic on the database port only from the security groups of the SecureTransport servers that need the database (see External Database Security Group in Create Security Groups and Network Access Lists); never open the port to 0.0.0.0/0.
5. After it is created, select the Security Group and go to Actions -> Add/Edit Tags.
6. In the Key text box type Name, and in the Value text box enter OracleDB.
7. Click Save.

Create option group

If you want to make an SSL connection to your Oracle DB, first create an Option group:

1. Navigate to AWS console -> Services.
2. Go to the Database section and select RDS.
3. Go to Option groups and click Create group.
4. After the group is created, select it and click Add option.
5. On the Option drop-down list, select SSL.
6. Specify the SSL Port (2484 by default). The SSL listener is added alongside the plain listener, so the database Security Group must allow this port as well.
7. Select the Security Group for which this option is enabled: the Database Security Group you created previously.
8. For Apply immediately, select Yes.

Create Oracle database

1. Navigate to AWS Console -> Services.
2. Go to the Database section and select RDS.
3. Go to Instances and click Launch DB Instance.
4. Select Oracle -> Enterprise Edition.
5. For Use Case, select Production.
6. Specify the DB Details: add your DB Instance Identifier and Master user credentials. Choose a strong master password and keep it out of scripts; the master user is needed only for the setup steps in this chapter, while SecureTransport connects as the dedicated ST user created in Create tables and set ownership of the Oracle database.
7. Click Next.
8. Configure the Advanced Settings:
   - Launch the database in your VPC.
   - Choose whether the database is publicly accessible. Select Yes to allow EC2 instances and devices outside the VPC that hosts the DB instance to connect to it; in that case you must also select one or more VPC security groups that specify which EC2 instances and devices can connect. If you select No, Amazon RDS does not assign a public IP address to the DB instance, and nothing outside the VPC can connect to it. In this deployment the SecureTransport servers run inside the VPC, so select No. Click here to learn more.
   - Select the Availability Zone in the current region in which you want the DB instance created. Note: for high availability and fault tolerance, choose the Multi-AZ deployment option on the DB details page, which keeps a standby replica in a different zone.
   - Select the Database Security Group you created in the Create database Security Group subtopic.
9. Add your Database Options:
   - Set a Database name. For Oracle on RDS this is also the SID you connect with later.
   - Specify a Database port.
   - Select the previously created SSL Option Group.
   - Leave Character set name at the default value: AL32UTF8.
   - Select Enable Encryption and follow the instructions to supply your Master key IDs and aliases. Encryption at rest can only be chosen when the instance is created; it cannot be switched on for an existing instance later.
   - Add your preferences for Monitoring and Maintenance.
10. When you finish your setup, click Launch DB instance.

Parameter Groups

You manage your DB engine configuration through the parameters in a DB parameter group. DB parameter groups act as a container for engine configuration values that are applied to one or more DB instances. You cannot modify the parameter settings of a default DB parameter group; you must create your own DB parameter group to change parameter settings from their default values, as required by the Requirements for Oracle Databases section in the SecureTransport 5.4 Installation Guide.

Create a parameter group

1. Navigate to AWS console -> Services.
2. Go to the Database section and select RDS.
3. Go to Parameter groups and click Create parameter group.
4. Fill in the fields and click Create.
5. After creation, select the parameter group, go to Parameter group actions and click Edit.
6. Find the parameter that you want to change and click Edit parameters.
7. Insert the desired value and then click Save changes.
8. Change the following parameters according to the database requirements:
   - db_cache_size: 1 GB or larger
   - open_cursors: at least 1000
   - processes: 1000 or more

Learn more about DB Parameter Groups.

Assign the parameter group to your database

1. Navigate to RDS Instances.
2. Select your database and then go to Instance actions -> Modify.
3. Go to the Database options section and select your DB parameter group from the drop-down list.
4. Save and apply the changes immediately.
5. Reboot your database; static parameters take effect only after a reboot.

Connect to your Oracle database

1. Navigate to AWS console -> Services.
2. Go to the Database section and select RDS.
3. Navigate to Instances.
4. Select your newly created database and then go to Instance Actions -> See Details.
5. Under the Security and network section, note the Endpoint: you will need to paste it in the next step.
6. Use Oracle SQL Developer on your Administration Host. Add a new connection and provide values for the following options:
   - Connection Name: a name that describes the connection
   - Username: the database administrator (master user) name
   - Password: the database administrator password
   - Hostname: paste the Endpoint
   - Port: the Database port you specified (1521 by default)
   - SID: the Database name you specified (ORCL in this example)

For further reference, see Connecting to Oracle DB.

Create tables and set ownership of the Oracle database

Use the following script:

CREATE SMALLFILE TABLESPACE "ST_DATA" DATAFILE SIZE 5000M AUTOEXTEND ON NEXT 12K MAXSIZE 8000M LOGGING EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;
CREATE SMALLFILE TABLESPACE "ST_FILETRACKING" DATAFILE SIZE 5000M AUTOEXTEND ON NEXT 12K MAXSIZE 8000M LOGGING EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;
CREATE SMALLFILE TABLESPACE "ST_SERVERLOG" DATAFILE SIZE 5000M AUTOEXTEND ON NEXT 12K MAXSIZE 8000M LOGGING EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;
-- The password "ST" below is a placeholder: replace it with a strong password
-- and supply the same value when the SecureTransport installer asks for it.
CREATE USER ST IDENTIFIED BY ST;
grant connect to ST;
grant create operator to ST;
grant create procedure to ST;
grant create sequence to ST;
grant create session to ST;
grant create table to ST;
alter user ST quota unlimited on ST_DATA;
alter user ST quota unlimited on ST_FILETRACKING;
alter user ST quota unlimited on ST_SERVERLOG;
alter user ST quota unlimited on USERS;

Obtain the Database certificate and a Distinguished Name

Execute the following command from one of your RHEL instances that has access to the database:

openssl s_client -connect <endpoint>:<port> -showcerts </dev/null

where <endpoint> is the Endpoint shown in the RDS console and <port> is the SSL port you set in the option group. The first BEGIN CERTIFICATE / END CERTIFICATE block in the output is the server certificate, and the subject= line under "Server certificate" is its Distinguished Name. Check that the CN in that line is the endpoint you connected to before you trust the certificate.

Create directories for the exported files

If you want to run Maintenance applications and export logs, you have to create a directory on the RDS service. This directory will contain the exported files.

To create a new directory, use the Amazon RDS procedure rdsadmin.rdsadmin_util.create_directory. The following example creates a new directory named ST_DMPDIR:

exec rdsadmin.rdsadmin_util.create_directory(p_directory_name => 'ST_DMPDIR');

You can list the directories by querying DBA_DIRECTORIES. The system chooses the actual host pathname automatically. The following example gets the directory path for the directory named ST_DMPDIR:

select DIRECTORY_PATH from DBA_DIRECTORIES where DIRECTORY_NAME='ST_DMPDIR';

The master user for the DB instance has read and write privileges in the new directory and can grant access to other users. You will need to grant read and write privileges to your SecureTransport user.
Execute privileges are not available for directories on a DB instance. Directories are created in your main data storage space and consume space and I/O bandwidth.

List Files in a DB Instance Directory

You can use the Amazon RDS procedure rdsadmin.rds_file_util.listdir to list the files in a directory. The following example lists the files in the directory named ST_DMPDIR:

select * from table(rdsadmin.rds_file_util.listdir(p_directory => 'ST_DMPDIR'));

Learn more about Creating directories in RDS.

Deploy MS SQL database in Amazon RDS

Create database Security Group

First, create a Security Group for your database:

1. Navigate to AWS console -> Services.
2. Go to the Compute section and select EC2.
3. Go to the Network & Security section and select Security Groups.
4. Click Create Security Group and provide your inbound rules: allow the database port only from the security groups of the SecureTransport servers that need the database (see External Database Security Group); never open it to 0.0.0.0/0.
5. After it is created, select the Security Group and go to Actions -> Add/Edit Tags.
6. In the Key text box type Name, and in the Value text box enter MS SQL DB.
7. Click Save.

Create MS SQL database

1. Navigate to AWS Console -> Services.
2. Go to the Database section and select RDS.
3. Go to Instances and click Launch DB Instance.
4. Select Microsoft SQL Server -> SQL Server Enterprise Edition.
5. For Use Case, select Production.
6. Specify the DB Details.
7. Add your DB Instance Identifier and Master user credentials.
8. Click Next.
9. Configure Advanced Settings:
   - Launch the database in your VPC.
   - Choose whether the database is publicly accessible. Select Yes to allow EC2 instances and devices outside the VPC that hosts the DB instance to connect to it; in that case you must also select one or more VPC security groups that specify which EC2 instances and devices can connect. If you select No, Amazon RDS does not assign a public IP address to the DB instance, and nothing outside the VPC can connect to it. In this deployment the SecureTransport servers run inside the VPC, so select No. Click here to learn more.
   - Select the Availability Zone in the current region in which you want the DB instance created. Note: for high availability and fault tolerance, choose the Multi-AZ deployment option on the DB details page, which keeps a standby replica in a different zone.
10. Select the Database Security Group you created in the Create database Security Group subtopic.
11. Add your Database Options:
   - Set a Database name.
   - Specify a Database port.
   - Select the previously created Parameter Group (only if you want to force SSL connections; see Force all SSL connections below for how to create it).
   - Leave the default Option Group.
   - Select Encryption: enable it. Encryption at rest can only be chosen when the instance is created.
   - Select a Backup retention period (not mandatory).
   - Select Monitoring (not mandatory): enable or disable it.
   - Select Maintenance (not mandatory): enable or disable it.
12. When you finish your setup, click Create Database.
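The Oracle and MS SQL procedures above set the same four things that decide how exposed the database is: Publicly accessible, the Security Group attached to the instance, encryption at rest, and in-transit encryption (the SSL option group for Oracle, the rds.force_ssl parameter for SQL Server). The following Python script is an added example, not part of the Axway guide or of any AWS tool; it reviews those settings over data shaped like the output of aws rds describe-db-instances, aws ec2 describe-security-groups, aws rds describe-option-groups and aws rds describe-db-parameters, trimmed to the fields it uses. All identifiers (st-oracle, st-mssql, sg-stserver, the group names) are constructed; the Oracle instance is modelled as the chapter describes and the MS SQL instance is deliberately misconfigured so that every check has something to report. The script accepts rds.force_ssl as either 1 or true, since the console and the CLI show it differently.

```python
"""Review the exposure and encryption settings of RDS instances.

Added example for the SecureTransport AWS guide; not an Axway or AWS tool.
Inputs mirror `aws rds describe-db-instances`, `aws ec2 describe-security-groups`,
`aws rds describe-option-groups` and `aws rds describe-db-parameters`, trimmed
to the fields the checks use. Every name and ID below is a constructed sample.
"""
import ipaddress

VPC_CIDR = "172.31.0.0/16"   # the example VPC block from the subnet chapter

DB_INSTANCES = [
    # Built as the chapter describes: private, encrypted, Multi-AZ, SSL option group.
    {"DBInstanceIdentifier": "st-oracle", "Engine": "oracle-ee",
     "Endpoint": {"Port": 1521}, "PubliclyAccessible": False,
     "StorageEncrypted": True, "MultiAZ": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-oracledb"}],
     "OptionGroupMemberships": [{"OptionGroupName": "st-oracle-ssl"}],
     "DBParameterGroups": [{"DBParameterGroupName": "st-oracle-params"}]},
    # Deliberately misconfigured so that the checks have something to report.
    {"DBInstanceIdentifier": "st-mssql", "Engine": "sqlserver-ee",
     "Endpoint": {"Port": 1433}, "PubliclyAccessible": True,
     "StorageEncrypted": False, "MultiAZ": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-mssqldb"}],
     "OptionGroupMemberships": [{"OptionGroupName": "default:sqlserver-ee-14-00"}],
     "DBParameterGroups": [{"DBParameterGroupName": "default.sqlserver-ee-14.0"}]},
]

# Inbound rules (IpPermissions) per security group, simplified.
SECURITY_GROUPS = {
    "sg-oracledb": [{"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
                     "UserIdGroupPairs": [{"GroupId": "sg-stserver"}], "IpRanges": []}],
    "sg-mssqldb": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                    "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
OPTION_GROUPS = {"st-oracle-ssl": ["SSL"], "default:sqlserver-ee-14-00": []}
PARAMETER_GROUPS = {"st-oracle-params": {"open_cursors": "1000", "processes": "1000"},
                    "default.sqlserver-ee-14.0": {"rds.force_ssl": "0"}}


def review_instance(db, security_groups, option_groups, parameter_groups, vpc_cidr):
    """Return a list of findings for one DB instance; empty means nothing to fix."""
    findings = []
    name, port = db["DBInstanceIdentifier"], db["Endpoint"]["Port"]
    vpc = ipaddress.ip_network(vpc_cidr)

    if db["PubliclyAccessible"]:
        findings.append(f"{name}: PubliclyAccessible is true, the instance has a public IP")
    if not db["StorageEncrypted"]:
        findings.append(f"{name}: storage is not encrypted (can only be set at creation)")
    if not db["MultiAZ"]:
        findings.append(f"{name}: single-AZ, no standby replica in another zone")

    # The DB port should be reachable only from other security groups (the
    # SecureTransport servers), never from CIDRs outside the VPC. IPv4 only;
    # Ipv6Ranges would need the same treatment with ::/0.
    for sg in db["VpcSecurityGroups"]:
        sg_id = sg["VpcSecurityGroupId"]
        for rule in security_groups.get(sg_id, []):
            if rule["IpProtocol"] not in ("tcp", "-1"):
                continue
            if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
                continue
            for rng in rule["IpRanges"]:
                if not ipaddress.ip_network(rng["CidrIp"]).subnet_of(vpc):
                    findings.append(f"{name}: port {port} open to {rng['CidrIp']} in {sg_id}")

    # In-transit encryption: Oracle uses the SSL option, SQL Server rds.force_ssl.
    if db["Engine"].startswith("oracle"):
        options = {o for m in db["OptionGroupMemberships"]
                   for o in option_groups.get(m["OptionGroupName"], [])}
        if "SSL" not in options:
            findings.append(f"{name}: option group has no SSL option")
    elif db["Engine"].startswith("sqlserver"):
        params = {}
        for m in db["DBParameterGroups"]:
            params.update(parameter_groups.get(m["DBParameterGroupName"], {}))
        if params.get("rds.force_ssl", "0").lower() not in ("1", "true"):
            findings.append(f"{name}: rds.force_ssl is not set, plaintext logins allowed")
    return findings


def review_all(instances=DB_INSTANCES, security_groups=SECURITY_GROUPS,
               option_groups=OPTION_GROUPS, parameter_groups=PARAMETER_GROUPS,
               vpc_cidr=VPC_CIDR):
    """Findings for every instance, keyed by DB instance identifier."""
    return {db["DBInstanceIdentifier"]: review_instance(db, security_groups, option_groups,
                                                        parameter_groups, vpc_cidr)
            for db in instances}


if __name__ == "__main__":
    for ident, found in review_all().items():
        print(ident, "OK" if not found else "")
        for line in found:
            print("  -", line)
```

Run it against real output by loading the JSON from the four CLI commands into the constants; the Oracle entry shows what a clean result looks like and the MS SQL entry shows the findings you get when a database is created with the console defaults and a permissive security group.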
Using SSL with Microsoft SQL Server database

You can use Secure Sockets Layer (SSL) to encrypt connections between your client applications and your Amazon RDS DB instances running Microsoft SQL Server. SSL support is available in all AWS regions for all supported SQL Server editions. When you create a SQL Server DB instance, Amazon RDS creates an SSL certificate for it. The certificate's Common Name (CN) is the DB instance endpoint; a client that checks the CN against the endpoint it connected to is thereby protected against spoofing, a client that skips that check is not.
Force all SSL connections

The first way to secure your database is to force SSL for all connections. This is transparent to the client, which needs no changes to use SSL. Do this by creating a Parameter Group:

1. Navigate to AWS console -> Services.
2. Go to the Database section and select RDS.
3. Go to Parameter groups and click Create parameter group.
4. Select the values in the following fields:
   - Parameter group family
   - Group name
   - Description (optional)
5. When you finish your selections, click Create.
6. After creation, select the parameter group, go to Parameter group actions and click Edit.
7. Find the parameter that you want to change and click Edit parameters.
   - Set the rds.force_ssl parameter to true to force connections to use SSL. The rds.force_ssl parameter is static, so after you change the value you must reboot your DB instance for the change to take effect.

Forcing SSL on the server side encrypts every connection, but it does not make the client verify the server certificate; pair it with the certificate check described under Encrypt Specific Connections so that the client also knows which server it is talking to.
8. Insert the desired value and then click Save changes.

Assign the parameter group to your database

1. Navigate to RDS Instances.
2. Select your database and then go to Instance actions -> Modify.
3. Go to the Database options section and select your DB parameter group from the drop-down list.
4. Save and apply the changes immediately.
5. Reboot your database.

Encrypt Specific Connections

To use SSL from a specific client, obtain the certificate, upload it to the client computer and then specify it during the SecureTransport installation. Run the following command to obtain the certificate file and the certificate CN:

openssl s_client -connect <endpoint>:<port> -showcerts </dev/null

where <endpoint> is the database Endpoint and <port> is the Database port. The first BEGIN CERTIFICATE / END CERTIFICATE block in the output is the server certificate, and the subject= line under "Server certificate" gives its CN; make sure that CN is the endpoint you connected to.

Learn more about Using SSL with a Microsoft SQL Server DB Instance.

Connect to your MS SQL database

1. Navigate to AWS console -> Services.
2. Go to the Database section and select RDS.
3. Navigate to Instances.
4. Select your newly created database and then go to Instance Actions -> See Details.
5. Under the Security and network section, note the Endpoint: you will need to paste it in the next step.
6. Use Microsoft SQL Server Management Studio on your Administration Host. Add a new connection and provide values for the following options:
   - Server type: select Database Engine
   - Server name: paste the endpoint of the newly created RDS MS SQL database
   - Authentication: select SQL Server Authentication
   - Login: database administrator (master user) login name
   - Password: database administrator password

Create tables and set ownership of the MS SQL database

Use the following script to create the database and its filegroups:

USE master;
GO
CREATE DATABASE STDB ON PRIMARY (NAME=STDB1, FILENAME='D:\RDSDBDATA\DATA\STDB.mdf', MAXSIZE = 4GB, FILEGROWTH = 5MB);
ALTER DATABASE STDB ADD FILEGROUP ST_DATA;
ALTER DATABASE STDB ADD FILEGROUP ST_FILETRACKING;
ALTER DATABASE STDB ADD FILEGROUP ST_SERVERLOG;
ALTER DATABASE STDB ADD FILE (NAME='ST_DATA_STDB', FILENAME='D:\RDSDBDATA\DATA\ST_DATA_STDB.ndf', SIZE = 200MB, FILEGROWTH=50MB) TO FILEGROUP ST_DATA;
ALTER DATABASE STDB ADD FILE (NAME='ST_FILETRACKING_STDB', FILENAME='D:\RDSDBDATA\DATA\ST_FILETRACKING_STDB.ndf', SIZE = 50MB, FILEGROWTH=10MB) TO FILEGROUP ST_FILETRACKING;
ALTER DATABASE STDB ADD FILE (NAME='ST_SERVERLOG_STDB', FILENAME='D:\RDSDBDATA\DATA\ST_SERVERLOG_STDB.ndf', SIZE = 200MB, FILEGROWTH=10MB) TO FILEGROUP ST_SERVERLOG;
ALTER DATABASE STDB SET READ_COMMITTED_SNAPSHOT ON;
GO

Use the following script to create the user login:

USE STDB;
-- The password 'STDB' is a placeholder: replace it with a strong password and
-- supply the same value to the SecureTransport installer. CHECK_POLICY=OFF and
-- CHECK_EXPIRATION=OFF exempt this login from the Windows password policy, so
-- the strength of the password you choose here is all that protects it.
CREATE LOGIN STDB WITH PASSWORD='STDB', DEFAULT_DATABASE=STDB, CHECK_POLICY=OFF, CHECK_EXPIRATION=OFF;
GO
USE STDB;
-- sp_grantdbaccess is deprecated but still present in SQL Server 2017;
-- CREATE USER STDB FOR LOGIN STDB is the equivalent current syntax.
EXEC sp_grantdbaccess 'STDB', 'STDB';
EXEC sp_addrolemember 'db_ddladmin', 'STDB';
EXEC sp_addrolemember 'db_datareader', 'STDB';
EXEC sp_addrolemember 'db_datawriter', 'STDB';
GO

Alternative to RDS Service

If you prefer not to use the AWS RDS service, you can replace it with two RHEL instances, each running an Oracle 12 EE or MS SQL Server 2017 EE database. The Oracle or MS SQL RHEL instances should follow the same rules:

1. One instance in each Availability Zone.
2. Each instance in a separate private subnet.
3. Both instances in one Database Security Group as defined in Security Groups and Network Access Lists.
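The openssl s_client command given under Obtain the Database certificate and a Distinguished Name (Oracle) and again under Encrypt Specific Connections (MS SQL) prints a good deal more than the two things the installer needs. The following Python script is an added example, not part of the Axway guide; it takes saved s_client output and returns the server certificate block and the subject as a comma-separated Distinguished Name, accepting both the OpenSSL 1.1/3.x "C = US, O = ..." subject format and the older "/C=US/O=..." format, and it checks that the certificate CN is exactly the endpoint you connected to, which is the spoofing check the MS SQL SSL section depends on. The s_client output embedded in it is a constructed sample with a placeholder PEM body and invented names. On a real host, run openssl s_client -connect <endpoint>:<port> -showcerts </dev/null > rds.txt and pass the file contents to the functions.

```python
"""Pull the server certificate and its Distinguished Name out of saved
`openssl s_client -connect <endpoint>:<port> -showcerts </dev/null` output.

Added example for the SecureTransport AWS guide; not an Axway or AWS tool.
"""
import re

# Constructed sample of s_client output: placeholder PEM bodies, invented names.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=1 C = US, O = Example Corp, CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:C = US, ST = Washington, L = Seattle, O = Example Corp, CN = stdb.abcdefghijkl.eu-west-1.rds.amazonaws.com
   i:C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERNOTAREALCERTIFICATE0000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Root CA
   i:C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERNOTAREALCERTIFICATE1111111111111111111111111111111
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = Washington, L = Seattle, O = Example Corp, CN = stdb.abcdefghijkl.eu-west-1.rds.amazonaws.com
issuer=C = US, O = Example Corp, CN = Example Root CA
---
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SUBJECT_RE = re.compile(r"^subject=(.*)$", re.M)
# Split "K = V, K2 = V2" only on commas that start a new attribute, so a comma
# inside a value (e.g. "O = Amazon.com, Inc.") is left alone.
RDN_SPLIT_RE = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def server_certificate(s_client_output):
    """The first PEM block is the server's own certificate (chain position 0)."""
    m = PEM_RE.search(s_client_output)
    return m.group(0) if m else None


def subject_rdns(s_client_output):
    """Subject as an ordered list of (attribute, value) pairs."""
    m = SUBJECT_RE.search(s_client_output)
    if not m:
        raise ValueError("no subject= line: the TLS handshake did not complete")
    raw = m.group(1).strip()
    if raw.startswith("/"):                     # OpenSSL 1.0.x: /C=US/O=Example
        parts = raw[1:].split("/")
    else:                                       # OpenSSL 1.1 and 3.x: C = US, O = Example
        parts = RDN_SPLIT_RE.split(raw)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def distinguished_name(s_client_output):
    """Subject as one comma-separated string, e.g. 'C=US,O=Example Corp,CN=host'."""
    return ",".join(f"{attr}={value}" for attr, value in subject_rdns(s_client_output))


def certificate_matches_endpoint(s_client_output, endpoint):
    """True when the subject CN is exactly the endpoint you connected to."""
    cn = dict(subject_rdns(s_client_output)).get("CN", "")
    return cn.lower() == endpoint.lower()


if __name__ == "__main__":
    print(distinguished_name(SAMPLE_OUTPUT))
    print(certificate_matches_endpoint(SAMPLE_OUTPUT, "stdb.abcdefghijkl.eu-west-1.rds.amazonaws.com"))
```

Save the string returned by server_certificate to a .pem file for the client and paste the string returned by distinguished_name where the installer asks for the DN; if certificate_matches_endpoint returns False, you are not looking at the certificate of the endpoint you meant to connect to and should stop there.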